Introduction
This page describes how Alexis Huxley installed and configured his DNS server.
Procedure
Prologue
- This procedure uses some environment variables, so set them:
    MY_IPADDR=<ip-addr>                         # E.g. MY_IPADDR=192.168.1.21
    NETMASK=<netmask>                           # E.g. NETMASK=255.255.255.0
    NETWORK=<network-addr>                      # E.g. NETWORK=192.168.1.0
    GATEWAY_IPADDR=<gateway-ipaddr>             # E.g. GATEWAY_IPADDR=192.168.1.1
    DNS_DOMAIN=<dns-domain>                     # E.g. DNS_DOMAIN=pasta.net
    DHCPSERVER_MIN_IPADDR=<min-ipaddr-to-give>  # E.g. DHCPSERVER_MIN_IPADDR=192.168.1.101
    DHCPSERVER_MAX_IPADDR=<max-ipaddr-to-give>  # E.g. DHCPSERVER_MAX_IPADDR=192.168.1.110
DNS server
- Install the packages required for the DNS server by running:
apt-get install bind9
- Initialise the local configuration by running:
    > /etc/bind/named.conf.local
    # Stop lots of IPv6 error log entries by disabling IPv6 support
    echo "OPTIONS=\"-u bind -4\"" >> /etc/default/bind9
    perl -pi -e 's@(listen-on-v6)@// $1@' /etc/bind/named.conf.options
- Define local domains by adding something like the following to /etc/bind/named.conf.local:
    #
    # This is /etc/bind/named.conf.local
    #
    zone "pasta.net" {
        type master;
        file "/etc/bind/db.pasta.net";
        allow-update { key rndc-key; };
    };
    zone "1.168.192.in-addr.arpa" {
        type master;
        file "/etc/bind/db.1.168.192";
        allow-update { key rndc-key; };
    };
    include "/etc/bind/rndc.key";
and by creating the corresponding zone files, as in these examples:
    ;
    ; This is /etc/bind/db.pasta.net (zone files use ';' for comments, not '#')
    ;
    $ORIGIN .
    $TTL 604800     ; 1 week
    pasta.net       IN SOA  pasta.net. root.pasta.net. (
                            2009112764 ; serial
                            604800     ; refresh (1 week)
                            86400      ; retry (1 day)
                            2419200    ; expire (4 weeks)
                            604800     ; minimum (1 week)
                            )
                    NS      macaroni.pasta.net.
    $ORIGIN pasta.net.
    fiori           A       192.168.1.6
    fregula         A       192.168.1.1
    gate            CNAME   fregula
    gateway         CNAME   fregula
    macaroni        A       192.168.1.76
    spaetzle        A       192.168.1.21
    ns              CNAME   macaroni
    router          CNAME   fregula
    torchio         A       192.168.1.7
and
    ;
    ; This is /etc/bind/db.1.168.192 (zone files use ';' for comments, not '#')
    ;
    $ORIGIN .
    $TTL 604800     ; 1 week
    1.168.192.in-addr.arpa  IN SOA  pasta.net. root.pasta.net. (
                            2009112324 ; serial
                            604800     ; refresh (1 week)
                            86400      ; retry (1 day)
                            2419200    ; expire (4 weeks)
                            604800     ; minimum (1 week)
                            )
                    NS      macaroni.pasta.net.
    $ORIGIN 1.168.192.in-addr.arpa.
    1               PTR     fregula.pasta.net.
    21              PTR     spaetzle.pasta.net.
    6               PTR     fiori.pasta.net.
    7               PTR     torchio.pasta.net.
    76              PTR     macaroni.pasta.net.
- Be sure that the zone files are owned by bind:bind (as the bind daemon may need to update them).
- bind9’s post-install script created a database update key in /etc/bind/rndc.key. Both bind9 and the ISC DHCP server understand the syntax of this file, so the DHCP server can use the key to authenticate itself to the DNS server whenever it needs to ask the DNS server to add or delete entries in its database.
- There is no need to, but if you want to, you can generate an alternative key by running something like:
dnssec-keygen -a hmac-md5 -b 128 -n USER <name-of-key-which-might-be-the-domain-name>
(Note that this procedure assumes the name of the key is ‘rndc-key’!)
- In order that the bind process can write entries to the journal (when the DHCP server process asks it to), make sure that the permissions of /etc/bind are as follows:
    fiori# ls -ld /etc/bind
    drwxrwsr-x 2 root bind 4096 Jun  9 19:57 /etc/bind
    fiori#
- In /etc/resolv.conf, make sure the nameserver is set to 127.0.0.1.
- Run:
service bind9 restart
- Test!
DHCP server
- Install the packages required for the DHCP server by running:
apt-get install isc-dhcp-server
- Set up a basic DHCP configuration file by running:
    {
        echo "option domain-name \"$DNS_DOMAIN\";"
        echo "option domain-name-servers $(hostname -f);"
        echo "authoritative;"
        echo "ddns-update-style interim;"
        echo "update-static-leases on;"
        echo "option routers $GATEWAY_IPADDR;"
        echo "subnet $NETWORK netmask $NETMASK {"
        echo "    # With this pool uncommented, anybody can get an IP address."
        echo "    pool {"
        echo "        range $DHCPSERVER_MIN_IPADDR $DHCPSERVER_MAX_IPADDR;"
        echo "        ddns-updates on;"
        echo "    }"
        echo
        echo "    # With this pool uncommented, the specified machines can get an IP address"
        echo "    #pool {"
        echo "    #    range 1.2.3.1 1.2.3.100;"
        echo "    #    deny unknown-clients;"
        echo "    #    ddns-updates on;"
        echo "    #    host ravioli { hardware ethernet 00:11:22:33:44:55; }"
        echo "    #    ..."
        echo "    #}"
        echo
        echo "    # With this pool uncommented, the specified machines get a specific IP address, as specified in DNS."
        echo "    #pool {"
        echo "    #    range 1.2.3.4 5.6.7.8;"
        echo "    #    deny unknown-clients;"
        echo "    #    host linguine { hardware ethernet 00:11:22:33:44:55; fixed-address linguine.pasta.net; }"
        echo "    #    ..."
        echo "    #}"
        echo "}"
    } > /etc/dhcp/dhcpd.conf
- Tailor /etc/dhcp/dhcpd.conf to suit local needs.
- Allow the DHCP server to communicate with the DNS (master) server by adding something like the following to /etc/dhcp/dhcpd.conf:
    include "/etc/bind/rndc.key";
    zone pasta.net {
        primary localhost;
        key rndc-key;
    }
    zone 1.168.192.in-addr.arpa {
        primary localhost;
        key rndc-key;
    }
- Reload the updated configuration file by running:
service isc-dhcp-server restart
- Test!
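The forward and reverse zone files above are maintained by hand, and the dynamic pool in dhcpd.conf must not overlap the addresses those files assign statically. The following Python script is added here as an example and is not part of the original page: it parses zone files in the format shown (handling $ORIGIN, relative owner names, owner-name inheritance and the parenthesised SOA), reports A records without a matching PTR and PTRs without a matching A record, and checks that a DHCP pool range lies inside the subnet without colliding with a static address. The zone texts, the 192.168.1.0/24 subnet and the pool bounds are constructed sample inputs modelled on the examples above.

```python
import ipaddress

# Constructed sample forward zone in the format of /etc/bind/db.pasta.net above.
# torchio is deliberately absent from the constructed reverse zone below.
FORWARD_ZONE = """\
$ORIGIN .
$TTL 604800   ; 1 week
pasta.net   IN SOA pasta.net. root.pasta.net. (
                2009112764 604800 86400 2419200 604800 )
            NS  macaroni.pasta.net.
$ORIGIN pasta.net.
fiori       A       192.168.1.6
fregula     A       192.168.1.1
gate        CNAME   fregula
macaroni    A       192.168.1.76
spaetzle    A       192.168.1.21
torchio     A       192.168.1.7
"""

# Constructed sample reverse zone in the format of /etc/bind/db.1.168.192 above.
REVERSE_ZONE = """\
$ORIGIN .
$TTL 604800   ; 1 week
1.168.192.in-addr.arpa IN SOA pasta.net. root.pasta.net. (
                2009112324 604800 86400 2419200 604800 )
            NS  macaroni.pasta.net.
$ORIGIN 1.168.192.in-addr.arpa.
1   PTR fregula.pasta.net.
21  PTR spaetzle.pasta.net.
6   PTR fiori.pasta.net.
76  PTR macaroni.pasta.net.
"""


def parse_zone(text):
    """Return [(owner_fqdn, rrtype, rdata)] for a simplified master-file format.

    Handles $ORIGIN, absolute and relative owner names, owner inheritance (a line
    starting with whitespace reuses the previous owner), ';' comments and the
    parenthesised multi-line SOA.  $TTL, per-record TTLs and class tokens are skipped.
    """
    origin, owner, depth, records = ".", None, 0, []
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()
        if depth:  # inside '(' ... ')': only track the closing parenthesis
            depth += line.count("(") - line.count(")")
            continue
        if not line.strip() or line.startswith("$TTL"):
            continue
        if line.startswith("$ORIGIN"):
            origin = line.split()[1]
            continue
        tokens = line.split()
        if not raw[0].isspace():  # explicit owner name on this line
            name = tokens.pop(0)
            if not name.endswith("."):
                name = name + "." if origin == "." else name + "." + origin
            owner = name
        while tokens and (tokens[0].isdigit() or tokens[0].upper() in ("IN", "CH", "HS")):
            tokens.pop(0)
        rrtype = tokens.pop(0).upper()
        depth += line.count("(") - line.count(")")
        records.append((owner, rrtype, " ".join(tokens).replace("(", "").strip()))
    return records


def forward_map(records):
    """Map A-record owner FQDN -> IPv4 address string."""
    return {owner: rdata for owner, t, rdata in records if t == "A"}


def reverse_map(records):
    """Map IPv4 address (rebuilt from the in-addr.arpa owner) -> PTR target."""
    out = {}
    for owner, t, rdata in records:
        if t == "PTR":
            labels = owner.rstrip(".").split(".")
            out[".".join(reversed(labels[:labels.index("in-addr")]))] = rdata
    return out


def check_consistency(fwd_text, rev_text):
    """Return (missing_ptrs, dangling_ptrs) as sorted lists of (ip, name)."""
    fwd = forward_map(parse_zone(fwd_text))
    rev = reverse_map(parse_zone(rev_text))
    missing = sorted((ip, name) for name, ip in fwd.items() if rev.get(ip) != name)
    dangling = sorted((ip, name) for ip, name in rev.items() if fwd.get(name) != ip)
    return missing, dangling


def pool_collisions(fwd_text, network, pool_min, pool_max):
    """Return static A-record addresses inside the DHCP pool; raise if the pool
    is not a valid range inside the subnet."""
    net = ipaddress.ip_network(network)
    lo, hi = ipaddress.ip_address(pool_min), ipaddress.ip_address(pool_max)
    if lo not in net or hi not in net or lo > hi:
        raise ValueError("pool %s-%s is not a valid range inside %s" % (lo, hi, net))
    fwd = forward_map(parse_zone(fwd_text))
    return sorted((ip, n) for n, ip in fwd.items() if lo <= ipaddress.ip_address(ip) <= hi)


if __name__ == "__main__":
    missing, dangling = check_consistency(FORWARD_ZONE, REVERSE_ZONE)
    for ip, name in missing:
        print("no PTR for %s (%s)" % (name, ip))
    for ip, name in dangling:
        print("PTR %s -> %s has no matching A record" % (ip, name))
    for ip, name in pool_collisions(FORWARD_ZONE, "192.168.1.0/24", "192.168.1.101", "192.168.1.110"):
        print("static host %s (%s) lies inside the dynamic pool" % (name, ip))
```

Run it against the real /etc/bind/db.* files by reading them into the two text variables; the parser deliberately ignores TTLs and classes, so it is a consistency check rather than a replacement for named-checkzone.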
DNS master/slave server
- Configure both the nominated DNS master server and DNS slave server as DNS servers, as described above.
- On the DNS master server, add the following line to all zone stanzas in /etc/bind/named.conf.local:
    zone ... {
        ...
        allow-transfer { <slave-server-ipaddr>; };
        ...
    };
- On the DNS slave server, define the zones by replacing /etc/bind/named.conf.local with something like:
    #
    # This is named.conf.local
    #
    zone "pasta.net" {
        # Note omission of 'allow-update' because dhcpd always sends updates to the master
        type slave;
        masters { 192.168.1.21; };
        file "/var/cache/bind/pasta.net.zone";
    };
    zone "1.168.192.in-addr.arpa" {
        type slave;
        masters { 192.168.1.21; };
        file "/var/cache/bind/1.168.192.zone";
    };
and remove the corresponding zone files from /etc/bind (these will be retrieved automatically by the slave server and cached in a different directory).
- On both the master and slave DNS servers, run:
service bind9 restart
- Test!
DHCP master/slave server
- Configure both the nominated DHCP master server and DHCP slave server as DHCP servers, as described above.
- On the DHCP master server, add the following to /etc/dhcp/dhcpd.conf before the subnet/pool declarations:
    failover peer "failover-cfg-1" {
        primary;
        address <my-ipaddr>;
        port 647;
        peer address <dhcp-slave-ipaddr>;
        peer port 647;
        max-response-delay 60;
        max-unacked-updates 10;
        mclt 3600;
        split 128;
        load balance max seconds 3;
    }
- On the DHCP slave server, add the following to /etc/dhcp/dhcpd.conf before the subnet/pool declarations:
    failover peer "failover-cfg-1" {
        secondary;
        address <my-ipaddr>;
        port 647;
        peer address <dhcp-master-ipaddr>;
        peer port 647;
        max-response-delay 60;
        max-unacked-updates 10;
        mclt 3600;
        # Note omission of 'split', which only the primary server needs
        load balance max seconds 3;
    }
- On both the master and slave DHCP servers, add the following to all pool declarations:
    subnet ... {
        pool ... {
            ...
            failover peer "failover-cfg-1";
            ...
        }
        pool ... {
            ...
            failover peer "failover-cfg-1";
            ...
        }
        ...
    }
- Copy /etc/bind/rndc.key from the master DNS server to the slave DHCP server (the slave DHCP server will need this to send DNS updates to the DNS master server).
- On both the master and slave DHCP servers, run:
service isc-dhcp-server restart
- Test!
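Two easy mistakes in the failover setup above are a pool declaration that does not name the failover peer and a 'split' line copied into the secondary's configuration. The following Python linter is added here as an example and is not part of the original page: it parses a dhcpd.conf fragment of the shape shown in this section into a block tree, checks that every pool references a declared failover peer, and checks that 'split' appears only in a peer declared as primary. The configuration text and the 192.168.1.21 / 192.168.1.76 addresses are constructed sample input.

```python
import re

# Constructed fragment in the shape of the primary's /etc/dhcp/dhcpd.conf above;
# the second pool deliberately lacks a 'failover peer' statement.
PRIMARY_CONF = """\
failover peer "failover-cfg-1" {
    primary;
    address 192.168.1.21;
    port 647;
    peer address 192.168.1.76;
    peer port 647;
    max-response-delay 60;
    max-unacked-updates 10;
    mclt 3600;
    split 128;
    load balance max seconds 3;
}
subnet 192.168.1.0 netmask 255.255.255.0 {
    pool {
        range 192.168.1.101 192.168.1.110;
        failover peer "failover-cfg-1";
        ddns-updates on;
    }
    pool {
        # constructed: this pool forgot its failover peer
        range 192.168.1.111 192.168.1.120;
        deny unknown-clients;
    }
}
"""

PEER_RE = re.compile(r'failover peer "([^"]+)"')


def parse_blocks(text):
    """Parse dhcpd.conf-style text into a list of (header, children) items,
    where children is None for a 'statement;' and a nested list for '{ ... }'."""
    no_comments = "\n".join(line.split("#", 1)[0] for line in text.splitlines())
    tokens = re.findall(r'"[^"]*"|[{};]|[^\s{};"]+', no_comments)

    def block(i):
        items, cur = [], []
        while i < len(tokens):
            t = tokens[i]
            i += 1
            if t == ";":
                items.append((" ".join(cur), None))
                cur = []
            elif t == "{":
                children, i = block(i)
                items.append((" ".join(cur), children))
                cur = []
            elif t == "}":
                return items, i
            else:
                cur.append(t)
        return items, i

    return block(0)[0]


def lint_failover(text, role):
    """Return a list of problems for a server meant to be 'primary' or 'secondary'."""
    tree = parse_blocks(text)
    problems, peers = [], {}
    for header, children in tree:
        m = PEER_RE.match(header)
        if m and children is not None:
            peers[m.group(1)] = [h for h, _ in children]
    for name, stmts in peers.items():
        declared = "primary" if "primary" in stmts else "secondary" if "secondary" in stmts else None
        if declared != role:
            problems.append("peer %s: declared as %s, expected %s" % (name, declared, role))
        has_split = any(s.startswith("split ") for s in stmts)
        if role == "primary" and not has_split:
            problems.append("peer %s: primary must declare 'split'" % name)
        if role == "secondary" and has_split:
            problems.append("peer %s: 'split' belongs only in the primary's configuration" % name)

    def walk(items, path):
        for header, children in items:
            if children is None:
                continue
            if header == "pool":
                refs = [PEER_RE.match(h) for h, c in children if c is None]
                refs = [m.group(1) for m in refs if m]
                if not refs:
                    problems.append("%s/pool: no 'failover peer' statement" % path)
                for r in refs:
                    if r not in peers:
                        problems.append("%s/pool: references undeclared peer %s" % (path, r))
            walk(children, path + "/" + header.split()[0])

    walk(tree, "")
    return problems


if __name__ == "__main__":
    for problem in lint_failover(PRIMARY_CONF, "primary"):
        print(problem)
```

Run the same text through lint_failover with role "secondary" to see the checks that would fire if the primary's stanza were copied to the slave unchanged; the parser ignores '#' comments, so the commented-out pools from the generated dhcpd.conf do not produce findings.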
- If the system is to be a DNS server and internet-resolvable hostnames need to be used on the home network, then use dnsmasq and bind in combination.
- Test!